17 matches found
PT-2025-43402
Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.0 through 7.4.3.132; Liferay DXP versions 2025.Q2.0 through 2025.Q2.9; Liferay DXP versions 2025.Q1.0 through 2025.Q1.16; Liferay DXP versions 2024.Q4.0 through 2024.Q4.7; Liferay DXP versions 2024.Q3.1 through 2024.Q3....
Authorization Bypass Through User-Controlled Key
Overview: Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the AccountEntriesAdminPortletaddressId parameter. An attacker can access address information belonging to other accounts by specifying arbitrary identifiers. Remediation: Upgrade...
Authorization Bypass Through User-Controlled Key
Overview: Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the comliferaychangetrackingwebportletPublicationsPortletctCollectionId parameter. An attacker can access unauthorized publication edit pages by manipulating this parameter. Remediati...
EUVD-2016-4695
Malware in sbrugna...
EUVD-2012-1722
Malware in sbrugna...
Stored Cross-site Scripting (XSS)
com.liferay, com.liferay.plugins.admin.web is vulnerable to Stored Cross-Site Scripting (XSS). The vulnerability is due to improper input sanitization in the components tab, which allows an attacker to inject and execute arbitrary web scripts or HTML in the victim’s browser...
com.liferay:com.liferay.my.account.web (>=1.0.0 <=1.0.12), com.liferay:com.liferay.portal.settings.web (>=1.0.0 <=1.2.4) potentially affected by CVE-2025-43787 via com.liferay:com.liferay.users.admin.web (>=1.0.0 <=2.3.0)
com.liferay:com.liferay.users.admin.web MAVEN version =1.0.0, =1.0.0, =1.0.0, =1.2.4 Source cves: CVE-2025-43787 Source advisory: SNYK:JAVA-COMLIFERAY-12704859...
Authorization Bypass Through User-Controlled Key
Overview: Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via improper access control in the getValue for objects. An attacker can gain unauthorized access to, create, edit, or relate data and object entries or definitions across different virtu...
CVE-2025-43765
A stored cross-site scripting vulnerability in Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.13 and 7.4 GA through update 92 allows a remote non-authenticated attacker to inject...
Cross-site Request Forgery (CSRF)
Overview: Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via insufficient protection for omni-administrator users. An attacker can perform unauthorized actions on behalf of authenticated users by tricking them into submitting malicious requests. Remediation...
Allocation of Resources Without Limits or Throttling
Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the profile picture upload. An attacker can cause significant service slowdowns by uploading a profile picture exceeding the intended size limit. Remediation: Upgrade...
PT-2025-31872
Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.3.80 through 7.4.3.132; Liferay DXP versions 2024.Q1.1 through 2024.Q1.19; Liferay DXP versions 2024.Q2.0 through 2024.Q2.13; Liferay DXP versions 2024.Q3.0 through 2024.Q3.13; Liferay DXP versions 2024.Q4.0 through...
CVE-2022-42119
Certain Liferay products are vulnerable to Cross Site Scripting (XSS) via the Commerce module. This affects Liferay Portal 7.3.5 through 7.4.2 and Liferay DXP 7.3 before update 8...
Insertion of Sensitive Information Into Sent Data
Overview: Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the Control Panel. An attacker can obtain sensitive user information by enumerating user screen names and accessing the page's title. Remediation: Upgrade...
PT-2024-20781 · Liferay · Liferay Dxp +1
Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.2.0 through 7.4.1; Liferay DXP 7.3 before service pack 3; Liferay DXP 7.2 before fix pack 15. Description: The doAsUserId URL parameter may be leaked when creating linked content using the WYSIWYG editor while...
PT-2022-26278 · Liferay · Liferay Dxp +1
Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.1.0 through 7.4.2; Liferay DXP versions 7.1 before fix pack 27; Liferay DXP versions 7.2 before fix pack 17; Liferay DXP versions 7.3 before service pack 3. Description: The issue is related to missing SSL certificate...
Liferay Arbitrary File Upload Vulnerability
Liferay is a set of J2EE-based portal solutions from the U.S. company Liferay. It uses EJB, JMS and other technologies, and can be used as a Web publishing and sharing workspace, an enterprise collaboration platform, a social network and so on. A security vulnerability exists in Liferay 6.2.x and...